From patchwork Thu Sep 27 22:23:32 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Colin King X-Patchwork-Id: 10618671 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7E03B1759 for ; Thu, 27 Sep 2018 22:23:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 699E42B96F for ; Thu, 27 Sep 2018 22:23:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5B2932B977; Thu, 27 Sep 2018 22:23:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E6C532B96F for ; Thu, 27 Sep 2018 22:23:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727068AbeI1EoI (ORCPT ); Fri, 28 Sep 2018 00:44:08 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:49667 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726112AbeI1EoI (ORCPT ); Fri, 28 Sep 2018 00:44:08 -0400 Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1g5eh4-0000VX-Cc; Thu, 27 Sep 2018 22:23:34 +0000 From: Colin King To: Greg Kroah-Hartman , Steve Bayless , Guido Kiener , linux-usb@vger.kernel.org Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] usb: usbtmc: check size before allocating buffer and remove duplicated allocation Date: Thu, 27 Sep 2018 23:23:32 +0100 Message-Id: <20180927222332.13360-1-colin.king@canonical.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Colin Ian King Currently the allocation of a buffer is performed before a sanity check on the required buffer size and if the buffer size is too large the error exit return leaks the allocated buffer. Fix this by checking the size before allocating. Also, the same buffer is allocated again inside an if statement, causing the first allocation to be leaked. Fix this by removing this second redundant allocation. Detected by CoverityScan, CID#1473697 ("Resource leak") Fixes: 658f24f4523e ("usb: usbtmc: Add ioctl for generic requests on control") Signed-off-by: Colin Ian King --- drivers/usb/class/usbtmc.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c index 0fcb81a1399b..c01edff190d2 100644 --- a/drivers/usb/class/usbtmc.c +++ b/drivers/usb/class/usbtmc.c @@ -1895,18 +1895,14 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data, if (res) return -EFAULT; + if (request.req.wLength > USBTMC_BUFSIZE) + return -EMSGSIZE; + buffer = kmalloc(request.req.wLength, GFP_KERNEL); if (!buffer) return -ENOMEM; - if (request.req.wLength > USBTMC_BUFSIZE) - return -EMSGSIZE; - if (request.req.wLength) { - buffer = kmalloc(request.req.wLength, GFP_KERNEL); - if (!buffer) - return -ENOMEM; - if ((request.req.bRequestType & USB_DIR_IN) == 0) { /* Send control data to device */ res = copy_from_user(buffer, request.data,